gitea/models/repo_permission_test.go

// Copyright 2018 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.

package models

import (
	"testing"

	"github.com/stretchr/testify/assert"
)

func TestRepoPermissionPublicNonOrgRepo(t *testing.T) {
	assert.NoError(t, PrepareTestDatabase())

	// public non-organization repo
	repo := AssertExistsAndLoadBean(t, &Repository{ID: 4}).(*Repository)
	assert.NoError(t, repo.getUnits(x))

	// plain user
	user := AssertExistsAndLoadBean(t, &User{ID: 2}).(*User)
	perm, err := GetUserRepoPermission(repo, user)
	assert.NoError(t, err)
	for _, unit := range repo.Units {
		assert.True(t, perm.CanRead(unit.Type))
		assert.False(t, perm.CanWrite(unit.Type))
	}

	// change to collaborator
	assert.NoError(t, repo.AddCollaborator(user))
	perm, err = GetUserRepoPermission(repo, user)
	assert.NoError(t, err)
	for _, unit := range repo.Units {
		assert.True(t, perm.CanRead(unit.Type))
		assert.True(t, perm.CanWrite(unit.Type))
	}

	// collaborator
	collaborator := AssertExistsAndLoadBean(t, &User{ID: 4}).(*User)
	perm, err = GetUserRepoPermission(repo, collaborator)
	assert.NoError(t, err)
	for _, unit := range repo.Units {
		assert.True(t, perm.CanRead(unit.Type))
		assert.True(t, perm.CanWrite(unit.Type))
	}

	// owner
	owner := AssertExistsAndLoadBean(t, &User{ID: 5}).(*User)
	perm, err = GetUserRepoPermission(repo, owner)
	assert.NoError(t, err)
	for _, unit := range repo.Units {
		assert.True(t, perm.CanRead(unit.Type))
		assert.True(t, perm.CanWrite(unit.Type))
	}

	// admin
	admin := AssertExistsAndLoadBean(t, &User{ID: 1}).(*User)
	perm, err = GetUserRepoPermission(repo, admin)
	assert.NoError(t, err)
	for _, unit := range repo.Units {
		assert.True(t, perm.CanRead(unit.Type))
		assert.True(t, perm.CanWrite(unit.Type))
	}
}

func TestRepoPermissionPrivateNonOrgRepo(t *testing.T) {
	assert.NoError(t, PrepareTestDatabase())

	// private non-organization repo
	repo := AssertExistsAndLoadBean(t, &Repository{ID: 2}).(*Repository)
	assert.NoError(t, repo.getUnits(x))

	// plain user
	user := AssertExistsAndLoadBean(t, &User{ID: 4}).(*User)
	perm, err := GetUserRepoPermission(repo, user)
	assert.NoError(t, err)
	for _, unit := range repo.Units {
		assert.False(t, perm.CanRead(unit.Type))
		assert.False(t, perm.CanWrite(unit.Type))
	}

	// change to collaborator to default write access
	assert.NoError(t, repo.AddCollaborator(user))
	perm, err = GetUserRepoPermission(repo, user)
	assert.NoError(t, err)
	for _, unit := range repo.Units {
		assert.True(t, perm.CanRead(unit.Type))
		assert.True(t, perm.CanWrite(unit.Type))
	}

	assert.NoError(t, repo.ChangeCollaborationAccessMode(user.ID, AccessModeRead))
	perm, err = GetUserRepoPermission(repo, user)
	assert.NoError(t, err)
	for _, unit := range repo.Units {
		assert.True(t, perm.CanRead(unit.Type))
		assert.False(t, perm.CanWrite(unit.Type))
	}

	// owner
	owner := AssertExistsAndLoadBean(t, &User{ID: 2}).(*User)
	perm, err = GetUserRepoPermission(repo, owner)
	assert.NoError(t, err)
	for _, unit := range repo.Units {
		assert.True(t, perm.CanRead(unit.Type))
		assert.True(t, perm.CanWrite(unit.Type))
	}

	// admin
	admin := AssertExistsAndLoadBean(t, &User{ID: 1}).(*User)
	perm, err = GetUserRepoPermission(repo, admin)
	assert.NoError(t, err)
	for _, unit := range repo.Units {
		assert.True(t, perm.CanRead(unit.Type))
		assert.True(t, perm.CanWrite(unit.Type))
	}
}

func TestRepoPermissionPublicOrgRepo(t *testing.T) {
	assert.NoError(t, PrepareTestDatabase())

	// public organization repo
	repo := AssertExistsAndLoadBean(t, &Repository{ID: 32}).(*Repository)
	assert.NoError(t, repo.getUnits(x))

	// plain user
	user := AssertExistsAndLoadBean(t, &User{ID: 5}).(*User)
	perm, err := GetUserRepoPermission(repo, user)
	assert.NoError(t, err)
	for _, unit := range repo.Units {
		assert.True(t, perm.CanRead(unit.Type))
		assert.False(t, perm.CanWrite(unit.Type))
	}

	// change to collaborator to default write access
	assert.NoError(t, repo.AddCollaborator(user))
	perm, err = GetUserRepoPermission(repo, user)
	assert.NoError(t, err)
	for _, unit := range repo.Units {
		assert.True(t, perm.CanRead(unit.Type))
		assert.True(t, perm.CanWrite(unit.Type))
	}

	assert.NoError(t, repo.ChangeCollaborationAccessMode(user.ID, AccessModeRead))
	perm, err = GetUserRepoPermission(repo, user)
	assert.NoError(t, err)
	for _, unit := range repo.Units {
		assert.True(t, perm.CanRead(unit.Type))
		assert.False(t, perm.CanWrite(unit.Type))
	}

	// org member team owner
	owner := AssertExistsAndLoadBean(t, &User{ID: 2}).(*User)
	perm, err = GetUserRepoPermission(repo, owner)
	assert.NoError(t, err)
	for _, unit := range repo.Units {
		assert.True(t, perm.CanRead(unit.Type))
		assert.True(t, perm.CanWrite(unit.Type))
	}

	// org member team tester
	member := AssertExistsAndLoadBean(t, &User{ID: 15}).(*User)
	perm, err = GetUserRepoPermission(repo, member)
	assert.NoError(t, err)
	for _, unit := range repo.Units {
		assert.True(t, perm.CanRead(unit.Type))
	}
	assert.True(t, perm.CanWrite(UnitTypeIssues))
	assert.False(t, perm.CanWrite(UnitTypeCode))

	// admin
	admin := AssertExistsAndLoadBean(t, &User{ID: 1}).(*User)
	perm, err = GetUserRepoPermission(repo, admin)
	assert.NoError(t, err)
	for _, unit := range repo.Units {
		assert.True(t, perm.CanRead(unit.Type))
		assert.True(t, perm.CanWrite(unit.Type))
	}
}

func TestRepoPermissionPrivateOrgRepo(t *testing.T) {
	assert.NoError(t, PrepareTestDatabase())

	// private organization repo
	repo := AssertExistsAndLoadBean(t, &Repository{ID: 24}).(*Repository)
	assert.NoError(t, repo.getUnits(x))

	// plain user
	user := AssertExistsAndLoadBean(t, &User{ID: 5}).(*User)
	perm, err := GetUserRepoPermission(repo, user)
	assert.NoError(t, err)
	for _, unit := range repo.Units {
		assert.False(t, perm.CanRead(unit.Type))
		assert.False(t, perm.CanWrite(unit.Type))
	}

	// change to collaborator to default write access
	assert.NoError(t, repo.AddCollaborator(user))
	perm, err = GetUserRepoPermission(repo, user)
	assert.NoError(t, err)
	for _, unit := range repo.Units {
		assert.True(t, perm.CanRead(unit.Type))
		assert.True(t, perm.CanWrite(unit.Type))
	}

	assert.NoError(t, repo.ChangeCollaborationAccessMode(user.ID, AccessModeRead))
	perm, err = GetUserRepoPermission(repo, user)
	assert.NoError(t, err)
	for _, unit := range repo.Units {
		assert.True(t, perm.CanRead(unit.Type))
		assert.False(t, perm.CanWrite(unit.Type))
	}

	// org member team owner
	owner := AssertExistsAndLoadBean(t, &User{ID: 15}).(*User)
	perm, err = GetUserRepoPermission(repo, owner)
	assert.NoError(t, err)
	for _, unit := range repo.Units {
		assert.True(t, perm.CanRead(unit.Type))
		assert.True(t, perm.CanWrite(unit.Type))
	}

	// update team information and then check permission
	team := AssertExistsAndLoadBean(t, &Team{ID: 5}).(*Team)
	err = UpdateTeamUnits(team, nil)
	assert.NoError(t, err)
	perm, err = GetUserRepoPermission(repo, owner)
	assert.NoError(t, err)
	for _, unit := range repo.Units {
		assert.True(t, perm.CanRead(unit.Type))
		assert.True(t, perm.CanWrite(unit.Type))
	}

	// org member team tester
	tester := AssertExistsAndLoadBean(t, &User{ID: 2}).(*User)
	perm, err = GetUserRepoPermission(repo, tester)
	assert.NoError(t, err)
	assert.True(t, perm.CanWrite(UnitTypeIssues))
	assert.False(t, perm.CanWrite(UnitTypeCode))
	assert.False(t, perm.CanRead(UnitTypeCode))

	// org member team reviewer
	reviewer := AssertExistsAndLoadBean(t, &User{ID: 20}).(*User)
	perm, err = GetUserRepoPermission(repo, reviewer)
	assert.NoError(t, err)
	assert.False(t, perm.CanRead(UnitTypeIssues))
	assert.False(t, perm.CanWrite(UnitTypeCode))
	assert.True(t, perm.CanRead(UnitTypeCode))

	// admin
	admin := AssertExistsAndLoadBean(t, &User{ID: 1}).(*User)
	perm, err = GetUserRepoPermission(repo, admin)
	assert.NoError(t, err)
	for _, unit := range repo.Units {
		assert.True(t, perm.CanRead(unit.Type))
		assert.True(t, perm.CanWrite(unit.Type))
	}
}
Restrict permission check on repositories and fix some problems (#5314) * fix units permission problems * fix some bugs and merge LoadUnits to repoAssignment * refactor permission struct and add some copyright heads * remove unused codes * fix routes units check * improve permission check * add unit tests for permission * fix typo * fix tests * fix some routes * fix api permission check * improve permission check * fix some permission check * fix tests * fix tests * improve some permission check * fix some permission check * refactor AccessLevel * fix bug * fix tests * fix tests * fix tests * fix AccessLevel * rename CanAccess * fix tests * fix comment * fix bug * add missing unit for test repos * fix bug * rename some functions * fix routes check 2018-11-28 14:26:14 +03:00			`// Copyright 2018 The Gitea Authors. All rights reserved.`
			`// Use of this source code is governed by a MIT-style`
			`// license that can be found in the LICENSE file.`

			`package models`

			`import (`
			`"testing"`

			`"github.com/stretchr/testify/assert"`
			`)`

			`func TestRepoPermissionPublicNonOrgRepo(t *testing.T) {`
			`assert.NoError(t, PrepareTestDatabase())`

			`// public non-organization repo`
			`repo := AssertExistsAndLoadBean(t, &Repository{ID: 4}).(*Repository)`
			`assert.NoError(t, repo.getUnits(x))`

			`// plain user`
			`user := AssertExistsAndLoadBean(t, &User{ID: 2}).(*User)`
			`perm, err := GetUserRepoPermission(repo, user)`
			`assert.NoError(t, err)`
			`for _, unit := range repo.Units {`
			`assert.True(t, perm.CanRead(unit.Type))`
			`assert.False(t, perm.CanWrite(unit.Type))`
			`}`

			`// change to collaborator`
			`assert.NoError(t, repo.AddCollaborator(user))`
			`perm, err = GetUserRepoPermission(repo, user)`
			`assert.NoError(t, err)`
			`for _, unit := range repo.Units {`
			`assert.True(t, perm.CanRead(unit.Type))`
			`assert.True(t, perm.CanWrite(unit.Type))`
			`}`

			`// collaborator`
			`collaborator := AssertExistsAndLoadBean(t, &User{ID: 4}).(*User)`
			`perm, err = GetUserRepoPermission(repo, collaborator)`
			`assert.NoError(t, err)`
			`for _, unit := range repo.Units {`
			`assert.True(t, perm.CanRead(unit.Type))`
			`assert.True(t, perm.CanWrite(unit.Type))`
			`}`

			`// owner`
			`owner := AssertExistsAndLoadBean(t, &User{ID: 5}).(*User)`
			`perm, err = GetUserRepoPermission(repo, owner)`
			`assert.NoError(t, err)`
			`for _, unit := range repo.Units {`
			`assert.True(t, perm.CanRead(unit.Type))`
			`assert.True(t, perm.CanWrite(unit.Type))`
			`}`

			`// admin`
			`admin := AssertExistsAndLoadBean(t, &User{ID: 1}).(*User)`
			`perm, err = GetUserRepoPermission(repo, admin)`
			`assert.NoError(t, err)`
			`for _, unit := range repo.Units {`
			`assert.True(t, perm.CanRead(unit.Type))`
			`assert.True(t, perm.CanWrite(unit.Type))`
			`}`
			`}`

			`func TestRepoPermissionPrivateNonOrgRepo(t *testing.T) {`
			`assert.NoError(t, PrepareTestDatabase())`

			`// private non-organization repo`
			`repo := AssertExistsAndLoadBean(t, &Repository{ID: 2}).(*Repository)`
			`assert.NoError(t, repo.getUnits(x))`

			`// plain user`
			`user := AssertExistsAndLoadBean(t, &User{ID: 4}).(*User)`
			`perm, err := GetUserRepoPermission(repo, user)`
			`assert.NoError(t, err)`
			`for _, unit := range repo.Units {`
			`assert.False(t, perm.CanRead(unit.Type))`
			`assert.False(t, perm.CanWrite(unit.Type))`
			`}`

			`// change to collaborator to default write access`
			`assert.NoError(t, repo.AddCollaborator(user))`
			`perm, err = GetUserRepoPermission(repo, user)`
			`assert.NoError(t, err)`
			`for _, unit := range repo.Units {`
			`assert.True(t, perm.CanRead(unit.Type))`
			`assert.True(t, perm.CanWrite(unit.Type))`
			`}`

			`assert.NoError(t, repo.ChangeCollaborationAccessMode(user.ID, AccessModeRead))`
			`perm, err = GetUserRepoPermission(repo, user)`
			`assert.NoError(t, err)`
			`for _, unit := range repo.Units {`
			`assert.True(t, perm.CanRead(unit.Type))`
			`assert.False(t, perm.CanWrite(unit.Type))`
			`}`

			`// owner`
			`owner := AssertExistsAndLoadBean(t, &User{ID: 2}).(*User)`
			`perm, err = GetUserRepoPermission(repo, owner)`
			`assert.NoError(t, err)`
			`for _, unit := range repo.Units {`
			`assert.True(t, perm.CanRead(unit.Type))`
			`assert.True(t, perm.CanWrite(unit.Type))`
			`}`

			`// admin`
			`admin := AssertExistsAndLoadBean(t, &User{ID: 1}).(*User)`
			`perm, err = GetUserRepoPermission(repo, admin)`
			`assert.NoError(t, err)`
			`for _, unit := range repo.Units {`
			`assert.True(t, perm.CanRead(unit.Type))`
			`assert.True(t, perm.CanWrite(unit.Type))`
			`}`
			`}`

			`func TestRepoPermissionPublicOrgRepo(t *testing.T) {`
			`assert.NoError(t, PrepareTestDatabase())`

			`// public organization repo`
			`repo := AssertExistsAndLoadBean(t, &Repository{ID: 32}).(*Repository)`
			`assert.NoError(t, repo.getUnits(x))`

			`// plain user`
			`user := AssertExistsAndLoadBean(t, &User{ID: 5}).(*User)`
			`perm, err := GetUserRepoPermission(repo, user)`
			`assert.NoError(t, err)`
			`for _, unit := range repo.Units {`
			`assert.True(t, perm.CanRead(unit.Type))`
			`assert.False(t, perm.CanWrite(unit.Type))`
			`}`

			`// change to collaborator to default write access`
			`assert.NoError(t, repo.AddCollaborator(user))`
			`perm, err = GetUserRepoPermission(repo, user)`
			`assert.NoError(t, err)`
			`for _, unit := range repo.Units {`
			`assert.True(t, perm.CanRead(unit.Type))`
			`assert.True(t, perm.CanWrite(unit.Type))`
			`}`

			`assert.NoError(t, repo.ChangeCollaborationAccessMode(user.ID, AccessModeRead))`
			`perm, err = GetUserRepoPermission(repo, user)`
			`assert.NoError(t, err)`
			`for _, unit := range repo.Units {`
			`assert.True(t, perm.CanRead(unit.Type))`
			`assert.False(t, perm.CanWrite(unit.Type))`
			`}`

			`// org member team owner`
			`owner := AssertExistsAndLoadBean(t, &User{ID: 2}).(*User)`
			`perm, err = GetUserRepoPermission(repo, owner)`
			`assert.NoError(t, err)`
			`for _, unit := range repo.Units {`
			`assert.True(t, perm.CanRead(unit.Type))`
			`assert.True(t, perm.CanWrite(unit.Type))`
			`}`

			`// org member team tester`
			`member := AssertExistsAndLoadBean(t, &User{ID: 15}).(*User)`
			`perm, err = GetUserRepoPermission(repo, member)`
			`assert.NoError(t, err)`
			`for _, unit := range repo.Units {`
			`assert.True(t, perm.CanRead(unit.Type))`
			`}`
			`assert.True(t, perm.CanWrite(UnitTypeIssues))`
			`assert.False(t, perm.CanWrite(UnitTypeCode))`

			`// admin`
			`admin := AssertExistsAndLoadBean(t, &User{ID: 1}).(*User)`
			`perm, err = GetUserRepoPermission(repo, admin)`
			`assert.NoError(t, err)`
			`for _, unit := range repo.Units {`
			`assert.True(t, perm.CanRead(unit.Type))`
			`assert.True(t, perm.CanWrite(unit.Type))`
			`}`
			`}`

			`func TestRepoPermissionPrivateOrgRepo(t *testing.T) {`
			`assert.NoError(t, PrepareTestDatabase())`

			`// private organization repo`
			`repo := AssertExistsAndLoadBean(t, &Repository{ID: 24}).(*Repository)`
			`assert.NoError(t, repo.getUnits(x))`

			`// plain user`
			`user := AssertExistsAndLoadBean(t, &User{ID: 5}).(*User)`
			`perm, err := GetUserRepoPermission(repo, user)`
			`assert.NoError(t, err)`
			`for _, unit := range repo.Units {`
			`assert.False(t, perm.CanRead(unit.Type))`
			`assert.False(t, perm.CanWrite(unit.Type))`
			`}`

			`// change to collaborator to default write access`
			`assert.NoError(t, repo.AddCollaborator(user))`
			`perm, err = GetUserRepoPermission(repo, user)`
			`assert.NoError(t, err)`
			`for _, unit := range repo.Units {`
			`assert.True(t, perm.CanRead(unit.Type))`
			`assert.True(t, perm.CanWrite(unit.Type))`
			`}`

			`assert.NoError(t, repo.ChangeCollaborationAccessMode(user.ID, AccessModeRead))`
			`perm, err = GetUserRepoPermission(repo, user)`
			`assert.NoError(t, err)`
			`for _, unit := range repo.Units {`
			`assert.True(t, perm.CanRead(unit.Type))`
			`assert.False(t, perm.CanWrite(unit.Type))`
			`}`

			`// org member team owner`
			`owner := AssertExistsAndLoadBean(t, &User{ID: 15}).(*User)`
			`perm, err = GetUserRepoPermission(repo, owner)`
fix bug when update owner team then visit team's repo return 404 (#6119) 2019-02-22 19:14:45 +03:00			`assert.NoError(t, err)`
			`for _, unit := range repo.Units {`
			`assert.True(t, perm.CanRead(unit.Type))`
			`assert.True(t, perm.CanWrite(unit.Type))`
			`}`

			`// update team information and then check permission`
			`team := AssertExistsAndLoadBean(t, &Team{ID: 5}).(*Team)`
			`err = UpdateTeamUnits(team, nil)`
			`assert.NoError(t, err)`
			`perm, err = GetUserRepoPermission(repo, owner)`
Restrict permission check on repositories and fix some problems (#5314) * fix units permission problems * fix some bugs and merge LoadUnits to repoAssignment * refactor permission struct and add some copyright heads * remove unused codes * fix routes units check * improve permission check * add unit tests for permission * fix typo * fix tests * fix some routes * fix api permission check * improve permission check * fix some permission check * fix tests * fix tests * improve some permission check * fix some permission check * refactor AccessLevel * fix bug * fix tests * fix tests * fix tests * fix AccessLevel * rename CanAccess * fix tests * fix comment * fix bug * add missing unit for test repos * fix bug * rename some functions * fix routes check 2018-11-28 14:26:14 +03:00			`assert.NoError(t, err)`
			`for _, unit := range repo.Units {`
			`assert.True(t, perm.CanRead(unit.Type))`
			`assert.True(t, perm.CanWrite(unit.Type))`
			`}`

			`// org member team tester`
			`tester := AssertExistsAndLoadBean(t, &User{ID: 2}).(*User)`
			`perm, err = GetUserRepoPermission(repo, tester)`
			`assert.NoError(t, err)`
			`assert.True(t, perm.CanWrite(UnitTypeIssues))`
			`assert.False(t, perm.CanWrite(UnitTypeCode))`
			`assert.False(t, perm.CanRead(UnitTypeCode))`

			`// org member team reviewer`
			`reviewer := AssertExistsAndLoadBean(t, &User{ID: 20}).(*User)`
			`perm, err = GetUserRepoPermission(repo, reviewer)`
			`assert.NoError(t, err)`
			`assert.False(t, perm.CanRead(UnitTypeIssues))`
			`assert.False(t, perm.CanWrite(UnitTypeCode))`
			`assert.True(t, perm.CanRead(UnitTypeCode))`

			`// admin`
			`admin := AssertExistsAndLoadBean(t, &User{ID: 1}).(*User)`
			`perm, err = GetUserRepoPermission(repo, admin)`
			`assert.NoError(t, err)`
			`for _, unit := range repo.Units {`
			`assert.True(t, perm.CanRead(unit.Type))`
			`assert.True(t, perm.CanWrite(unit.Type))`
			`}`
			`}`